CVE-2019-0708 BlueKeep RDP Remote Windows Kernel Use After Free

The RDP `termdd.sys` driver improperly handles binds to internal-only channel `MS_T120`,
allowing a malformed `Disconnect Provider Indication` message to cause use-after-free.
With a controllable data/size remote nonpaged pool spray, an indirect call gadget of
the freed channel is used to achieve arbitrary code execution.

**Windows 7 SP1** and **Windows Server 2008 R2** are the **only** currently supported targets.

Windows 7 SP1 should be exploitable in its default configuration, assuming your target
selection is correctly matched to the system's memory layout.

`HKLM\SYSTEM\CurrentControlSet\Control\TerminalServer\Winstations\RDP-Tcp\fDisableCam`
**needs** to be set to `0` for exploitation to succeed against **Windows Server 2008 R2**.
This is a **non-standard** configuration for normal servers, and the target **will crash** if
the aforementioned Registry key is not set!

If the target is crashing regardless, you will likely need to determine the non-paged
pool base in kernel memory and set it as the `GROOMBASE` option.

## Vulnerable Application

This exploit module currently targets these Windows systems running on several virtualized and physical targets.

* Windows 7 SP1 x64
* Windows 2008 R2 x64

XP and 2003 are currently not supported. Please see available targets by running the `show targets` command.

## Verification Steps

- [ ] Start `msfconsole`
- [ ] `use exploit/windows/rdp/cve_2019_0708_bluekeep_rce`
- [ ] `set RHOSTS` to Windows 7/2008 x64
- [ ] `set TARGET` based on target host characteristics
- [ ] `set PAYLOAD`
- [ ] `exploit`
- [ ] **Verify** that you get a shell
- [ ] **Verify** that you do not crash

## Options
